
CVE-2026-31773

Severity: High
Published: 01 May 2026
Modified: 11 May 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0028 (percentile 20.1)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-31773 is a high-severity vulnerability in the Linux kernel with no CWE assigned. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). Its EPSS exploit likelihood sits at percentile 20.1 (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31773 affects the Linux kernel's Bluetooth Security Manager Protocol (SMP), specifically the legacy (non Secure Connections) responder path in smp_random(). When the local side's pending_sec_level is BT_SECURITY_HIGH, the stored Short Term Key (STK) is labeled as authenticated; that label reflects what the local service requested, not what the pairing actually achieved. In Just Works or Just Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear because neither method protects against an adversary in the middle, so the resulting STK should be stored as unauthenticated even when HIGH security was requested. The flaw skips that distinction, so the key metadata disagrees with the pairing result.

The CVSS v3.1 vector scores the issue at 8.8: an attacker within Bluetooth radio range (AV:A) needs low complexity (AC:L), no privileges (PR:N) and no user interaction (UI:N), with high confidentiality, integrity and availability impact (C:H/I:H/A:H) and unchanged scope (S:U). The practical consequence is that an unauthenticated Just Works pairing completed by the peer yields a key the kernel records as MITM-protected, so a local service that asked for HIGH security can be reached over a link that never earned it. Only the legacy path is affected; the Secure Connections code already records JUST_WORKS and JUST_CFM pairings as unauthenticated.

Fixes are available in the Linux kernel stable branches, including commits 061ee71ac6b03c9f8432fe49538c3682bfcf4cf3, 0afc846bd80073ffcd2b8040f2b2fafaea3d9f72, 20756fec2f0108cb88e815941f1ffff88dc286fe, 667f44f1392df6482483756458c48670e579e9ff and 929db734d12db41ca5f95424db4612397f1bd4a7. The fix derives the legacy responder STK's authenticated flag from the established MITM state (SMP_FLAG_MITM_AUTH) instead of from pending_sec_level, aligning the legacy path with the Secure Connections code, which already treats JUST_WORKS and JUST_CFM pairings as unauthenticated. When verifying remediation, confirm that the running kernel carries one of these commits or a later stable release of its branch rather than relying on version ranges alone; distribution kernels routinely backport fixes without changing the upstream version string.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SMP: derive legacy responder STK authentication from MITM state

The legacy responder path in smp_random() currently labels the stored STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH. That reflects what the local service requested, not what the pairing flow actually achieved. For Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear and the resulting STK should remain unauthenticated even if the local side requested HIGH security. Use the established MITM state when storing the responder STK so the key metadata matches the pairing result. This also keeps the legacy path aligned with the Secure Connections code, which already treats JUST_WORKS/JUST_CFM as unauthenticated.
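The decision described in the Deeper analysis section and in the commit message above, as an added user-space C model (this is example code written for this page, not the kernel's smp_random() and not code from the advisory). Only the names BT_SECURITY_HIGH, SMP_FLAG_MITM_AUTH, JUST_WORKS and JUST_CFM come from the description; the struct, the enum values, the legacy_pair() simulation and the service-level check are assumptions of the model. It puts the vulnerable rule (authenticated flag copied from the requested level) beside the fixed rule (flag derived from the MITM state achieved) and shows how a service requiring HIGH security ends up accepting a Just Works link under the old rule.

```c
#include <stdbool.h>
#include <stdio.h>

/* Security levels a local service can request (names as in the kernel's
 * BT_SECURITY_* constants; the numeric values are this model's own). */
enum sec_level { BT_SECURITY_LOW = 1, BT_SECURITY_MEDIUM = 2, BT_SECURITY_HIGH = 3 };

/* Legacy pairing methods. JUST_WORKS and JUST_CFM offer no MITM protection;
 * the passkey methods do. */
enum pairing_method { JUST_WORKS, JUST_CFM, REQ_PASSKEY, DSP_PASSKEY };

/* Minimal model of the responder's pairing state (field names are assumed). */
struct smp_model {
    enum sec_level pending_sec_level; /* what the local service asked for */
    bool mitm_auth;                   /* models SMP_FLAG_MITM_AUTH */
};

/* Simulate a legacy pairing as responder. The MITM flag is set only when the
 * chosen method actually provides MITM protection (model assumption). */
static struct smp_model legacy_pair(enum sec_level requested, enum pairing_method m)
{
    struct smp_model smp;
    smp.pending_sec_level = requested;
    smp.mitm_auth = (m == REQ_PASSKEY || m == DSP_PASSKEY);
    return smp;
}

/* Vulnerable decision: "authenticated" copied from the requested level. */
static bool stk_authenticated_vulnerable(const struct smp_model *smp)
{
    return smp->pending_sec_level == BT_SECURITY_HIGH;
}

/* Fixed decision: "authenticated" derived from the MITM state achieved. */
static bool stk_authenticated_fixed(const struct smp_model *smp)
{
    return smp->mitm_auth;
}

/* Authenticated flag stored for the STK after one legacy pairing, under the
 * vulnerable or the fixed rule. */
bool stk_auth_after_pairing(enum sec_level requested, enum pairing_method m, bool use_fix)
{
    struct smp_model smp = legacy_pair(requested, m);
    return use_fix ? stk_authenticated_fixed(&smp) : stk_authenticated_vulnerable(&smp);
}

/* Model of the link-level check a service performs: HIGH requires an
 * authenticated (MITM-protected) key; LOW and MEDIUM accept any encrypted link. */
bool service_accepts(enum sec_level required, bool key_authenticated)
{
    if (required == BT_SECURITY_HIGH)
        return key_authenticated;
    return true;
}

/* Worked scenario from the advisory: a peer in radio range completes a Just
 * Works pairing while the local service has requested HIGH security. Returns
 * whether that service ends up accepting the resulting link. */
bool high_service_reachable_via_just_works(bool use_fix)
{
    bool auth = stk_auth_after_pairing(BT_SECURITY_HIGH, JUST_WORKS, use_fix);
    return service_accepts(BT_SECURITY_HIGH, auth);
}

int main(void)
{
    printf("Just Works, HIGH requested, vulnerable rule: accepted=%d\n",
           high_service_reachable_via_just_works(false));
    printf("Just Works, HIGH requested, fixed rule:      accepted=%d\n",
           high_service_reachable_via_just_works(true));
    printf("Passkey,    HIGH requested, fixed rule:      authenticated=%d\n",
           stk_auth_after_pairing(BT_SECURITY_HIGH, REQ_PASSKEY, true));
    return 0;
}
```

Under the vulnerable rule the Just Works link is accepted by the HIGH service because the request, not the pairing, decided the flag; under the fixed rule the same pairing is recorded as unauthenticated and refused, while a passkey pairing is still recorded as authenticated under both rules.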

CWE(s): none assigned

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1557 Adversary-in-the-Middle (Credential Access)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

A logic flaw in the kernel's Bluetooth SMP code allows exploitation of the pairing service from within radio range (T1210), and the STK mislabeled as authenticated after a legacy Just Works pairing lets an adversary-in-the-middle link satisfy a HIGH security requirement (T1557).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-43018 · Same product: Linux Linux Kernel
CVE-2024-58087 · Same product: Linux Linux Kernel
CVE-2026-43011 · Same product: Linux Linux Kernel
CVE-2026-31717 · Same product: Linux Linux Kernel
CVE-2026-23457 · Same product: Linux Linux Kernel
CVE-2026-23461 · Same product: Linux Linux Kernel
CVE-2026-23193 · Same product: Linux Linux Kernel
CVE-2026-31536 · Same product: Linux Linux Kernel
CVE-2026-31432 · Same product: Linux Linux Kernel
CVE-2026-31393 · Same product: Linux Linux Kernel

Affected Assets

Vendor: linux
Product: linux kernel
Versions: 3.16, 7.0 · 3.15.5 to 3.16 · 3.16.1 to 5.10.253 · 5.11 to 5.15.203

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent)
Directly mandates timely identification, reporting, and patching of kernel flaws like CVE-2026-31773 to remediate the incorrect STK authentication labeling.

SC-12 Cryptographic Key Establishment and Management (prevent)
Requires proper management of cryptographic keys such as the STK, ensuring metadata accurately reflects the actual MITM authentication state achieved during Bluetooth SMP pairing.

Wireless access (prevent)
Establishes controls for wireless access including Bluetooth, enforcing usage restrictions and protections against misuse of improperly authenticated pairing keys.

References